Zapp has been getting a lot of press coverage these past few days, no doubt to help bolster their fundraising efforts. (Read an article here at Finextra and have a look through the comments too; they are very insightful.) The company that hopes to deliver mobile payments for UK banks is trying to raise £100m on top of the £16m funding it has already received to date. But what is Zapp? What will it deliver?

Zapp, great concept or dead end idea?

We must start with the cold fact that Zapp has not got an actual solution for mobile payments. Zapp has to date delivered nothing in terms of architecture and physical code. With that in mind, everything we read from Zapp is vision based; it’s fluffy and isn’t backed by something tangible like an actual live working environment. So we must take their comments on what they can deliver with a little pinch of salt, as no one has yet tried to deliver what they are claiming.

The proposition

So let’s now look at the proposition in the wake of Zapp announcing a number of major banks signing up to their solution. When you first read articles or headlines regarding Zapp, you may believe that Zapp has access to your bank account, and that means they can complete payments directly from your bank account for you. The fact is, this is wrong. Zapp does not have direct access to any consumer’s bank account, not even consumers of those banks that have signed up to the Zapp vision. In addition, Zapp doesn’t have access to faster payments either, again something that many believe they do have. So what do they have that warrants the headlines coming from Zapp…

Well, what they have is an understanding with the signed-up banks to be able to send information from their Zapp wallet app to the bank’s mobile banking app. This information is pretty basic: essentially it’s a reference, an amount and a destination bank account. So in the world of Zapp, you use your Zapp wallet to get a transaction under way; however, in order to actually pay, you are then pushed from your Zapp mobile app into your bank’s mobile banking application. There you input your PIN for your bank’s mobile app and then confirm the faster payments transaction that Zapp has set up for you. Complete it in your bank’s mobile banking app, and then back to the Zapp app you go. It’s also this integration that lets Zapp show you your bank balances in the Zapp app (no direct access to your bank account at all, rather a copy of functionality from Microsoft’s Wallet and Apple’s Passbook, reading data from other apps).

Great concept or dead end idea?

So, is this a winning mobile solution? Should companies like PayPal, Visa, MasterCard and CloudZync be worried? Well, the short answer is no. Zapp isn’t offering anything that hasn’t been shown before. Zapp isn’t providing me as a consumer with any incentive to use the app, nor are they providing any incentive to a business to accept Zapp mobile payments. The experience isn’t even one that sounds “cool” for a consumer. Moving between two apps to manually authorise a bank payment is not exactly smooth. But you can see why the banks they have on board are interested: these are all banks that have no form of P2P transaction apps, nor any foot in the door of the mobile payments industry. Of course they are going to sign up to Zapp; after all, the promise is that Zapp delivers mobile payments through their own current banking apps. The real proof that Zapp offers nothing new, nor an experience that consumers will opt for, can be seen by looking at Barclays’ position. Barclays have NOT signed up to Zapp, and you can see why. Why would they, when Zapp is simply a very clunky vision of Barclays’ own Pingit/buyit app, which isn’t pie in the sky but an actual app already out there in the wild with millions of downloads, and one that works a lot smoother than the Zapp proposition.

Mobile payments will not take off if we view them as simply an evolution of card payments onto mobile, and this is where Zapp is standing. There is no point for consumers or businesses to invest time and money in an evolution that delivers no improvement for either party. Mobile payments will only succeed when there is incentive and added value to a transaction, and that is why companies like CloudZync and their Zwallet mobile app are light years ahead of the competition. Wrapping other people’s technology to try and make something a little smoother (such as inputting payment information for a faster payments transaction) isn’t visionary and it’s hardly innovative. When we look at mobile and digital wallets, they need to be innovative; they need to provide real, tangible and easily measurable incentives to businesses and consumers to make a conscious effort to use a mobile phone as opposed to cards and cash. That’s exactly what Zwallet delivers…

Zapp future

I have no idea what’s ahead for Zapp. I am sure they can deliver the technology to wrap a bank’s mobile app; it’s hardly rocket science and they aren’t attempting to solve anything that hasn’t been solved already. The question really regarding Zapp is why do they need that size of investment? Do they have anything else planned or is it all marketing, marketing and more marketing money? Who knows.

What I do know is that Zapp is already behind the competition, and has a lot of thinking outside of the box to do if it wants to deliver experiences that get close to its competitors…

People may think I’m not being serious with this post title, but I really am. These past few weeks yet more examples of security not being taken seriously in the payments market have emerged. It started with an article I read on Finextra regarding Google bypassing the secure element on an Android phone for NFC based transactions. It’s the launch of HCE (Host Card Emulation).

HCE and NFC

I’m not going to go into too many details and technicalities about it, but my own take on the whole situation with HCE, NFC and Google is that Google and the card schemes are changing the rules in which payments are supposed to be made. They are doing this to better fit with their own solutions, and to potentially lock out ventures like ISIS in the US and WEAVE here in the UK and at the risk of security.

There are strict reasons behind PCI compliance and the use of EMV (secured chip and pin to most of us) and it seems that these are now causing issues for Google and others, so instead of looking for real solutions they change the rules. A great take on this can be found on finextra here

QR/Barcodes in transactions

These are the choice of many payment solutions out there, including my own company CloudZync with Zwallet. However, QR codes and barcodes are easy to create, especially static ones, so this has to be taken into consideration when using them to pass payment information, and I would never allow an authorisation of a payment to be made just because a valid code has been scanned. Yet I have witnessed many solutions out there now that do this…

With Zwallet we always make sure the consumer is involved in the authorisation process fully, so we keep intelligence in the process at the cost of 1 second in the transaction process. For me, 1 extra second making a payment is well worth it to aid in security. (I would like to point out that Zwallet transactions are still dramatically quicker than typical card based transactions, even with the added 1 second for security).
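The principle above, that a scanned code starts a payment request but never authorises it, sketched as an added example. This is not Zwallet’s or CloudZync’s code: the payload fields, the HMAC signing, the 120-second lifetime and the function names are assumptions made for illustration, and the key and sample values are constructed.

```python
import hashlib
import hmac
import json
import time

MERCHANT_KEY = b"constructed-demo-key"  # constructed sample secret, not a real key
_redeemed = set()                       # nonces already paid (replay guard)

def _tag(body):
    return hmac.new(MERCHANT_KEY, body.encode(), hashlib.sha256).hexdigest()

def make_code(merchant, amount_pence, nonce, issued_at):
    """Text a merchant would encode in a dynamic (per-transaction) QR code."""
    body = json.dumps({"m": merchant, "a": amount_pence, "n": nonce,
                       "t": issued_at}, sort_keys=True)
    return body + "." + _tag(body)

def parse_code(code, now, max_age=120):
    """Return the payment request, or None if forged, stale or replayed."""
    body, _, tag = code.rpartition(".")
    # Constant-time comparison of the signature over the exact body scanned.
    if not hmac.compare_digest(tag.encode(), _tag(body).encode()):
        return None
    req = json.loads(body)
    if not 0 <= now - req["t"] <= max_age or req["n"] in _redeemed:
        return None
    return req

def authorise(code, consumer_approves, now=None):
    """A valid scan is only a request; the consumer's decision authorises it."""
    now = time.time() if now is None else now
    req = parse_code(code, now)
    if req is None:
        return "rejected"
    # The consumer sees merchant and amount and must actively approve.
    if not consumer_approves(req["m"], req["a"]):
        return "declined"
    _redeemed.add(req["n"])
    return "authorised"
```

A copied or static code fails the freshness and replay checks, and even a perfectly valid code moves no money until `consumer_approves` returns true.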

Security underlying cause for concern?

So what is the underlying cause of security concerns with payments? What really causes so much effort to go into technology trying to patch security issues or catch fraud post a transaction? The answer is the actual card scheme itself and the infrastructure behind it.

Let’s be real. Cards are amazing. For the last 40 years they have steadily dominated the way in which most of us pay for goods and services. But has security increased much in that time? A little is the answer. There is a lot more technology behind it, but fraud is back on the rise again, so we must ask ourselves why. And the answer is simple: cards were never designed for the digital economy. Everything that we do to utilise the card infrastructure is a kludge, a patch/hack in tech terms. All this technology and security to try and secure something that is very insecure: 16 digits on a card, mixed with two dates and 3 digits on the back. If we lose control of those details then a fraudster can do whatever they want with our cards, and that’s why so much is invested in fraud detection post a transaction and so much is invested in risk management.

My fear is, while card based transactions using Chip and Pin remain ok, the way we use cards digitally isn’t so secure. Throw into the mix mobile payments and companies actively trying to utilise card details in their solutions to make payments, and holes start to appear. In essence, trying to use technology to secure something that by its nature is not secure causes all sorts of issues. And though great lengths to make things much more secure are possible, the costs behind these rack up.

No matter how you try to secure card details, or to what lengths you go, the fact remains that the infrastructure for cards requires those simple card details, and fraudsters are becoming increasingly intelligent, innovative and capable of getting their hands on those details and using them.

The security solution

The only real secure option is to start with a blank sheet of paper for payments and wake up and realise that the digital economy requires payments to be carried out on an infrastructure that is designed for digital transactions from the ground up. It also MUST include more human elements in the process and not just require everything to be automated.

Real intelligence still remains with the consumer and the business. By removing them from the process more and more, we may make the payment process a little quicker, but we increasingly make it less secure. After all, the process of me having to know my PIN to make a payment is far more secure if I have lost my card, compared to just waving my card in front of a reader and making a payment.

These are the reasons behind the security approaches we have at CloudZync, the reasons why we make sure the consumer has to actively be involved in the purchase process and actively have to authorise each and every payment. If we remove them too much, then there are more gaps for fraudsters to exploit.

I’m not saying everything can be 100% secure, it simply can’t, and intelligent innovative fraudsters will always find a way to exploit processes and technology, but we must actively make it as hard as possible, and currently, in the race to stamp authority on possibly the payments method of the future, security seems to be being overlooked… That is a great concern of mine, and should be a great concern for each and every consumer out there and business owner…

I’ve seen a few articles on countries now looking to finally move away from mag-stripe debit and credit cards, ditching signatures and opting for EMV chip and pin cards. This is the most recent I’ve read, “Bank of Israel sets deadline for EMV switch”. But what makes me chuckle a little is that EMV is really old hat now, so to start moving to EMV in the next 3 years seems a little outdated already.

In a recent article on Finextra, Bank of Israel sets a deadline for moving from mag-stripe to EMV; banks and card schemes have been given 3 and a half years to make that switch. In that time, surely many more of us smartphone users will be looking to mobile transactions, so the move seems just like the move from CD to MiniDisc – one with a very short lifespan and rather large investment… (Keep in mind the number of smartphone users as opposed to dumb phone users is increasing daily.)

Card schemes are big

Yes, most of us have a card and therefore card schemes will be with us for a very, very long time. But moving forward, the role cards play in our lives will only get smaller and smaller. With this in mind, is it worth making the investments to move to EMV? Why not now at this late stage stick with what you have and await a mobile revolution?

Go mobile

If I were the head of a large bank in this situation I obviously would be looking at migrating to EMV because I am being forced to. If I wasn’t being forced to, I think I would be tempted to leave things as they are. After all the switch will not be cheap, it will also involve lots of customer relations with businesses and no doubt (just like in the UK) waves of consumers complaining about using a PIN (though we seem to love Chip and Pin now).

But my main focus I believe would be looking at pure mobile schemes, looking at what’s out there and how my customers will want to access and spend funds via their mobile devices. (Obviously I would be looking at CloudZync’s infrastructure and technology 😉 but maybe I am very biased on this)…

CD to mini-disc to MP3

Currently updating a card scheme, be it to EMV or containing LCD displays in a card, or pairing cards to Bluetooth apps on phones seems, well, very pointless. Many of us believe the physical card will play a smaller role in our future lives, so why keep investing in it? After all, would you as an IT company keep developing and spending money on solutions that had a shelf life of only a few years? Or would you be looking at a longer game plan?

Maybe I’m being harsh on “mini-disc” here; at least Sony were not that aware of the pending doom just a few years down the line with MP3 players (especially the iPod). They were taken by surprise by the uptake and demand in MP3 and as such, mini-disc (though a great invention) died a quick death. Here with cards, it seems we have already foreseen their death, and yet we simply ignore it and plough on forward… curious…